NZDSOS has received correspondence asking both how to provide security on similar sites, and also questioning the security methodology.
While it’s not sensible to document everything, there’s no harm in outlining the philosophy and the stuff that is immediately apparent to anyone with IT experience.
The platform security philosophy is:
- The purpose of security is to keep the site online, and provide confidence for correspondents that sensible precautions are in place
- Like Snowden said, we do the convenient easy stuff, but no point getting hung up
- We do not have the resources for all the specialist security disciplines, so store the minimum information
- We acknowledge every security product is inevitably breached by some state actor
- Providing we lock the front door, the people with the means to take this site down have bigger fish to fry
- It’s not us doing the illegal stuff
(1) We use Cloudflare for network security, which has the benefit of:
- Removing some of the security risks
- Stripping out the traffic load from bots
- Reducing hosting load through caching
Because we only want word of mouth traffic from New Zealand, all facebook and google traffic is blocked and we’ve made a discovery that we normally wouldn’t think about. 98% of the traffic hitting the NZDSOS site is crawler bots. Using our analytics data as an example, that suggests when a business pays $100 for hosting, facebook consumes $50, google consumes $45 etc, down to customers get $2.
With crawlers blocked, we now support high traffic volumes at low cost e.g. up to 7000 page views per day, 1000 signatures per day, and about 10 million requests per week.
We also attributed the weird lack of spam/trolls from the Contact page to blocking bots, but it’s subsequently been pointed out that it’s more likely due to ring-fencing of different browsing profiles via products like “Google Moonshot”. That’s the technology that returns different search results for the same search terms to different people.
Interestingly, google has now blocked searches for “NZDSOS” at the data level, so https://nzdsos.com no longer appears in duckduckgo. How fortunate we are as NZers to have a faceless US corporate to decide for us who we may listen and talk to.
(2) The website is hosted using WordPress for convenience. We’ve got a few years’ collective experience with WordPress, but if anyone wants to let us know about rookie mistakes, we’re all ears.
(3) Our website hosting service is not subject to NZ or US law (as near as we can tell). The .com domain suffix may not have been the cleverest choice.
To those sending correspondence, we are receiving and acting upon information, but we’re snowed between one thing and another, and not able to co-ordinate replies to anything but the most urgent issues.